| Re: Finally got it working my way [message #183591 is a reply to message #183587] |
Fri, 01 November 2013 19:07   |
Denis McMahon
Messages: 634
Registered: September 2010
Karma:
|
Senior Member |
|
|
On Fri, 01 Nov 2013 13:01:48 -0400, richard wrote:
> On Fri, 1 Nov 2013 16:33:55 +0000 (UTC), Denis McMahon wrote:
>
>> On Fri, 01 Nov 2013 07:54:35 -0400, richard wrote:
>>
>>> On Fri, 1 Nov 2013 07:50:58 -0400, richard wrote:
>>>
>>>> www.mroldies.net
>>>>
>>>> Don't bitch to me about the gawd awful mess of javascript.
>>>> thats the way it came in the package.
>>>> I don't care. It works.
>>>
>>> I'll be damned.
>>> the messy thing actually frickin validates.
>>
>> You're failing to validate your user input to ensure it complies with
>> expected values and handle out of range values suitably:
>>
>> Could not successfully run query (SELECT id,
>> atitle,btitle,artist,label,avid FROM A1972 WHERE id<101) from DB: Table
>> 'richbull_top100.A1972' doesn't exist
>
> no shit sherlock.
> furthermore, that code does not even exist on that page. show me the
> exact page you used.
I took one of the links on your page and hand edited it. This is the sort
of thing people will do to try and exploit any code errors in your
website.
If you understood the code you were using you should be able to tell from
looking at the error message I posted what I did and why it failed.
The lesson is this: Any data that your script receives as part of the
http request is susceptible to having been manipulated by external
parties with the malicious intent of exploiting bugs in the underlying
server software (php, apache, mysql) to hack your website. If you do not
perform suitable verification and validation of such data, your website
will eventually be hacked, and will then be subverted by criminals in
support of their criminal activities.
If I was an attacker, I would now know that the person who coded this
website did not properly validate and verify the request inputs. I
probably also know that there's php code and a mysql database behind the
website, and possibly that the coder used the deprecated php mysql_*
functions (that error message may be mysql_query specific). This could
mark the website as one that was worthy of further specific attacks aimed
at exploiting known bugs in either php or mysql.
This is how websites get hacked. We've been telling you this for years.
You've been ignoring us for years. We don't expect anything to change.
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]